Chariot Single Sign-On (SSO) with Okta

Chariot supports Single Sign-On through Okta integration. This guide will walk you through the setup process, which involves verifying your domain ownership, creating an Okta application, and configuring the integration in Chariot. You'll need three key pieces of information to complete the setup: 

  • Client ID 
  • Client Secret 
  • Issuer URL

Domain Verification

The first step is to verify ownership of your domain by adding a DNS TXT record. Open your domain's DNS settings or management interface, where you will add a TXT record. The record must follow the format "chariot=<email>", where <email> is your primary Chariot account email address. You can find your primary email on the Users page.

In your DNS management interface, set the TXT record on your root domain. For example, if your domain is YourDomain.com and the record is set at the root level (@), you would add a TXT record with the value "chariot=YourPrimaryEmail@email.com". The Chariot setup pop-up shows this value so you can copy and paste it.

Once set, your DNS TXT record might look something like this:

YourDomain.com

  Host    Record type    Value
  @       TXT            "chariot=YourPrimaryEmail@email.com"

To verify that your record has been published, run dig +short TXT YourDomain.com on a Mac (or Linux), or nslookup -type=TXT YourDomain.com on Windows, and look for your record in the output. A newly added record can take some time to propagate, so repeat the check if it does not appear immediately.

Creating and Configuring the Okta Application

Begin by logging into your Okta admin dashboard at login.okta.com. Navigate to the Applications section and create a new app integration. When configuring the application, select "OIDC - OpenID Connect" as your sign-in method and "Web Application" as your application type.

Click Next at the bottom.

Name your application "Chariot" and configure the redirect URIs. The sign-in redirect URI should be set to https://praetorian-chariot.auth.us-east-2.amazoncognito.com/oauth2/idpresponse, and the sign-out redirect URI should be https://chariot.praetorian.com/login. Remember to grant access to every user who will sign in to Chariot via SSO; this is done under Assignments.

Optional Okta Tile Configuration

You may want to configure the Chariot Okta tile for easier access. In your application's General Settings, configure the login settings to allow initiation from either Okta or the app, enable the application icon display for users, and set the login flow to redirect to the app. Set the initiate login URI to https://chariot.praetorian.com/login.

Here's the step-by-step:

1. Under General > General Settings, click the Edit link.

2. Under General > Login, update the following settings:

  • Login initiated by - Either Okta or App.
  • Application visibility - ensure that “Display application icon to users” is enabled.
  • Login flow - choose “Redirect to app to initiate login (OIDC Compliant)”.
  • Initiate login URI - set to “https://chariot.praetorian.com/login”.

3. Hit “Save” to confirm your configuration changes.

Integrating with Chariot

To complete the integration, log in to Chariot using your existing credentials at chariot.praetorian.com/login. Click Settings in the bottom-left menu to open the Settings page. From there, you can begin the SSO setup process.

You'll need to provide several pieces of information: your email domain (such as "praetorian.com"), the Client ID and Client Secret (found in your Okta application's Client Credentials section), and your Issuer URL (your Okta login base URL, such as "https://companyname.okta.com").

Fill out the pop-up with the appropriate information.


Once you have filled in all of the fields, hit Save. Your users should now be able to log in to Chariot using Okta as their identity provider.


Post-Setup Information

Once your SSO setup is complete, users can access Chariot through the Corporate ID portal on the login page.

It's worth noting that you can remove the DNS TXT record after completing the SSO setup. However, if you need to make any changes to the SSO configuration, such as rotating secrets, you'll need to temporarily re-add the TXT record during the configuration process.

If you encounter any difficulties during setup or need assistance with SSO, reach out to support@praetorian.com for help.

By following these steps, you'll establish a secure and convenient SSO connection between your Okta instance and Chariot, allowing for streamlined access management and improved user experience.